
Re: [Asrg] Problems that make the RMX proposal infeasible

2003-03-07 05:30:03
Jonathan Wilkins wrote:
Firstly, the DNS protocol is subject to spoofing. This is a fundamental problem with the protocol and cannot be fixed without totally changing the protocol. This is due to the fact that the first answer with a matching request ID is accepted. Since the request ID is a 16-bit field, it is trivial for an attacker to send 65536 100-byte packets and provide this answer.

This scenario is unlikely to happen on a large scale:

1) This is more related to server hacking than spamming, which means spammers will risk a lot doing that.

2) That's 6.5 MBytes of bandwidth consumption for each mail server you want to spoof. And you are not sure to succeed at the first try (or even globally). Got to cost a little...

3) If spammers have to eat 6.5 MBytes of network bandwidth to send spam to a domain for a limited time (economically costly), and that only works with some DNS server software, I consider it sufficient protection.

4) You also need to know if DNS requests are sent from the mail server or from other DNS servers for this to work. My current configuration (for example) uses a DNS server not from my ISP and located in another network...

Anyway, this has to be solved at the DNS protocol level, which clearly needs to be improved on this subject as you mention, and we will benefit from it when it gets solved globally.

I think defining a new secure DNS-like protocol for that would be too much of a headache. Let DNS people solve DNS problems.

Pierre
--
          PARALLINE          ///        Parallelism & GNU/Linux
                            ///
71,av des Vosges Phone:+33 388 141 740
F-67000 STRASBOURG Fax:+33 388 141 741 http://www.paralline.com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
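As an added illustration, not part of the thread, here is a small Python model of the matching rule under discussion: `accept` with `id_only=True` is the behaviour Jonathan describes, where the first reply carrying the right 16-bit ID wins, while `id_only=False` also checks the QR bit, the echoed question and the UDP port the query was sent from, which is what makes an unpredictable source port enlarge the spoofer's search space. The helper functions, the constructed packets, and the explicit port comparison (done by the kernel's socket delivery in a real stack) are assumptions of this example; `flood_bytes` reproduces the 65536 x 100-byte figure from the mail.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (no compression pointers)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(pkt: bytes, off: int):
    """Decode an uncompressed label sequence; returns (name, offset after it)."""
    labels = []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def build_message(txid: int, flags: int, qname: str, qtype: int = 1) -> bytes:
    """Header (ID, flags, QDCOUNT=1) plus one question. Answer records are omitted
    on purpose (assumption): matching only looks at the header and question."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse(pkt: bytes):
    """Return (txid, flags, qname, qtype) from the header and first question."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount == 0:
        return txid, flags, None, None
    qname, off = decode_name(pkt, 12)
    return txid, flags, qname, struct.unpack("!H", pkt[off:off + 2])[0]

def accept(query, query_sport, reply, reply_dport, id_only=True):
    """id_only=True: the rule the mail describes, first reply with a matching ID wins.
    id_only=False: also require QR=1, the same question, and delivery to the port
    the query left from (modelled as a plain comparison here)."""
    qid, _, qname, qtype = parse(query)
    rid, rflags, rname, rtype = parse(reply)
    if rid != qid:
        return False
    if id_only:
        return True
    return bool(rflags & 0x8000) and (rname, rtype) == (qname, qtype) and reply_dport == query_sport

def guess_space(port_bits: int = 0) -> int:
    """Distinct (ID, port) pairs a blind spoofer must cover: 2^16 IDs times 2^port_bits."""
    return (1 << 16) << port_bits

def flood_bytes(packet_size: int = 100, port_bits: int = 0) -> int:
    """Bytes needed for one forged reply per guess (the mail's 65536 x 100-byte figure)."""
    return guess_space(port_bits) * packet_size
```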